CVE-2022-2353

Published: Jul 9, 2022Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.

Affected (1)

Products: Microweber: Microweber

Microweber

1 product

Microweber

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Microweber Microweber	Before 1.2.20

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

https://github.com/microweber/microweber/commit/79c6914bab8c9da07ac950fda17648d08c68b130

Source: security@huntr.dev

PatchThird Party Advisory

https://huntr.dev/bounties/7782c095-9e8c-48b0-a7f5-3a8f52e8af52

Source: security@huntr.dev

ExploitPatchThird Party Advisory

https://github.com/microweber/microweber/commit/79c6914bab8c9da07ac950fda17648d08c68b130

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://huntr.dev/bounties/7782c095-9e8c-48b0-a7f5-3a8f52e8af52

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.